aws_flow_log
Use the aws_flow_log
InSpec audit resource to test properties of a single Flow Log.
Syntax
describe aws_flow_log(flow_log_id: 'fl-9c718cf5') do
it { should exist }
end
Parameters
This resource requires at least one of the following parameters to be provided: flow_log_id
, subnet_id
, vpc_id
.
flow_log_id (required if no other parameters provided)
The Flow Log ID which uniquely identifies the Flow Log.
This can be passed either as a string or as a flow_log_id: 'value'
key-value entry in a hash.
subnet_id (required if no other parameters provided)
The subnet associated with the Flow Log, if applicable.
This must be passed as a subnet_id: 'value'
key-value entry in a hash.
vpc_id (required if no other parameters provided)
The VPC associated with the Flow Log, if applicable.
This must be passed as a vpc_id: 'value'
key-value entry in a hash.
See also the AWS documentation on Flow Logs.
Properties
Property | Description |
---|---|
flow_log_id | The ID of the Flow Log. |
log_group_name | The name of the associated log group. |
resource_id | The ID of the assosiated resource, e.g. VPC, Subnet or Network Interface. |
Examples
Search for a flow log by the associated subnet id
describe aws_flow_log(subnet_id: 'subnet-c6a4319c') do
it { should exist }
end
Search for a flow log by the associated VPC id
describe aws_flow_log(vpc_id: 'vpc-96cabaef') do
it { should exist }
end
Ensure the correct Flow Log is associated with a Subnet
describe aws_flow_log(subnet_id: 'subnet-c6a4319c') do
its('flow_log_id') { should cmp 'fl-9c718cf5' }
end
Ensure the Flow Log is associated with the correct resource type
describe aws_flow_log('fl-9c718cf5') do
its('resource_type') { should cmp 'subnet' }
end
Matchers
For a full list of available matchers, please visit our matchers page.
exist
The control will pass if the describe returns at least one result.
Use should_not
to test the entity should not exist.
describe aws_flow_log('AnExistingFlowLog') do
it { should exist }
end
describe aws_flow_log('ANonExistentFlowLog') do
it { should_not exist }
end
be_attached_to_eni
Indicates that the Flow Log is attached to a ENI resource.
describe aws_flow_log('fl-9c718cf5') do
it { should be_attached_to_eni }
end
be_attached_to_subnet
Indicates that the Flow Log is attached to a subnet resource.
describe aws_flow_log('fl-9c718cf5') do
it { should be_attached_to_subnet }
end
be_attached_to_vpc
Indicates that the Flow Log is attached to a vpc resource.
describe aws_flow_log('fl-9c718cf5') do
it { should be_attached_to_vpc }
end
AWS Permissions
Your Principal will need the ec2:DescribeFlowLogs
actions with Effect set to Allow.